-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-EN-16:02.pf                                             Errata Notice
                                                          The FreeBSD Project

Topic:          Invalid TCP checksums with pf(4)

Category:       core
Module:         pf
Announced:      2016-01-14
Credits:        Kristof Provost <kp@FreeBSD.org>
Affects:        All supported versions of FreeBSD.
Corrected:      2015-11-11 12:36:42 UTC (stable/10, 10.2-STABLE)
                2016-01-14 09:10:46 UTC (releng/10.2, 10.2-RELEASE-p9)
                2016-01-14 09:11:16 UTC (releng/10.1, 10.1-RELEASE-p26)
                2015-12-25 15:12:54 UTC (stable/9, 9.3-STABLE)
                2016-01-14 09:11:26 UTC (releng/9.3, 9.3-RELEASE-p33)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.

I.   Background

The pf(4) is one of several packet filters available in FreeBSD, originally
written for OpenBSD.  In addition to filtering packets, it also has packet
normalization capabilities.

II.  Problem Description

When running with certain network interfaces, capable for hardware transmit
checksum offloading, or TCP segmentation offload, pf(4) produces packets with
invalid TCP checksums.

III. Impact

The TCP packets with invalid checksums are rejected by the remote host,
leading to large performance impacts or inability to successfully run
a TCP connection.

IV.  Workaround

Disable transmit checksum offloading and TSO support on the affected
network interface:

# ifconfig ue0 -txcsum -tso

V.   Solution

Perform one of the following:

1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.

Reboot the system or unload and reload the pf.ko kernel module.

2) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Reboot the system or unload and reload the pf.ko kernel module.

3) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.2]
# fetch https://security.FreeBSD.org/patches/EN-16:02/pf-10.2.patch
# fetch https://security.FreeBSD.org/patches/EN-16:02/pf-10.2.patch.asc
# gpg --verify pf-10.2.patch.asc

[FreeBSD 10.1]
# fetch https://security.FreeBSD.org/patches/EN-16:02/pf-10.1.patch
# fetch https://security.FreeBSD.org/patches/EN-16:02/pf-10.1.patch.asc
# gpg --verify pf-10.1.patch.asc

[FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/EN-16:02/pf-9.patch
# fetch https://security.FreeBSD.org/patches/EN-16:02/pf-9.patch.asc
# gpg --verify pf-9.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system or unload and reload the pf.ko kernel module.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/9/                                                         r292732
releng/9.3/                                                       r293896
stable/10/                                                        r290669
releng/10.1/                                                      r293894
releng/10.2/                                                      r293893
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=154428>
<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193579>
<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=198868>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-16:02.pf.asc>
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJWl9x3AAoJEO1n7NZdz2rnIj8P/jjLqxcU1FYUabDKbi/jIWR0
QhvJoIHKq8sXIS28gvfw8cftdPe1s29s6917WrYjyKn5oNYSVlrNqdATU9d3bVfK
eqmXyaROQZgfav5uTzckt93+iqri4dTbzWSRzDBv6/y00NPnPjF6qmMWAPSlnHjb
0Q0R3WMB3v/DWNq3/1WUWTrRQqe8p9lnfa2QNFBPyEairBIFOow/x69CxJIUsXmr
3PN5ODIZSye3LVpEK5RA166vtYaQXfN1kDZG9+PZCzNwAmGCx/NzRhOTD8BxCGoT
NhYSS2cjFxwnHI51+p01mloEaieGrxx+AzksXSN5QA/5vvQBE6uPFpAJishUymQB
BloQyzMuF4b8lAWsFcazASPim6Y5YhBb3fGbW3IqrlQN0kQhX6fC0+iCwK2Zd8Of
8Af3CG6ccbi3Aemf12iB/2a3MYR4h1i+cF575eayCZG27hh3tRs9kMGu6Wkte7hv
IY/mtf2SUbJ4zJeqLArNtd6+eud+YKGlprGXAOZSYHiBAtlAXjOtIXvV6hnmxV9L
ychUzODmXRmcFTAWTrsHn/GqxRyv6d3RRTZuf5JqE1Rg0wSify+5Uc2uAwYx+ja/
pQoOqi8PDOGfedjPe/PbGH5x7yTKCHVWU0+TZuzPevyTmHGTYBX5q0DM34lO/jAZ
da3+xuXShSg7DMloAeqr
=UOvf
-----END PGP SIGNATURE-----
